Suit Seeks To Hook Phishers

A South Carolina credit union is taking what legal experts say is a rare legal approach to combat phishing by filing a civil lawsuit and winning a court order to serve subpoenas on Internet service providers and phone companies related to the case without waiting for a pretrial conference.

The $687 million AllSouth FCU in Columbia, S.C., filed a civil lawsuit last month in U.S. ­District Court for the District of South ­Carolina against unknown perpetrators that gained access to at least 125 members’ accounts, ­according to court documents.

The lawsuit charged unnamed defendants with infringing upon AllSouth’s trademark and violating the Racketeer Influenced and Corrupt Organizations Act.

The credit union, which has more than 20 locations and 100,000 members, is seeking an immediate injunction against the fraudsters and triple damages, which are mandatory under RICO statutes.

In effort to identify and locate criminals who launched a SMS phishing scam in early April, a U.S. District Court judge has issued an order granting expedited discovery, allowing AllSouth’s legal team to serve subpoenas on third-party communication providers.

Unlike a criminal case, a civil lawsuit allows different methods of discovering evidence, which is likely why AllSouth has adopted the tactic. AllSouth officials ­declined to comment, citing the ongoing investigation.

According to court records, the fraudsters sent phishing text ­messages by obtaining a list of AT&T customer names with South Carolina’s 803 area code. Recipients were told their account had limited access or restricted access and were instructed to call a ­toll-free telephone number.

Callers were greeted with an ­automated recording stating, “Welcome to AllSouth Federal Credit Union,” and prompted to provide personal information such as account, Social Security and driver’s license numbers, which perpetrators used to log on to AllSouth’s online banking system and transfer money out of victims’ accounts.

The exact number of victims is yet to be determined, but at least 125 credit union members reported to AllSouth that they revealed personal data during the phishing scam, according to court documents.

It’s rare for judges in civil cases to grant an expedited discovery order to issue subpoenas to third-party service providers, according to legal experts, but this is not the first time a financial institution has ­utilized the tactic in a phishing case.

Records of communications providers are given extra protection by the Stored Communications Act portion of the Electronic Communications Privacy Act of 1986, but the laws have gotten murky with increasing technology such as social media and cloud storage.

“It’s my impression that civil discovery requests to third-party service providers for the content of communication under the Electronic Communications Privacy Act are very unusual and may not be allowed by the statute,” Chris Calabrese, legislative counsel for the American Civil Liberties Union, said in email to Credit Union Times.